An approach to Separation of Duties validation for MILS security - - PowerPoint PPT Presentation



SLIDE 1

An approach to Separation of Duties validation for MILS security configurations

Semen Kort, Dmitry Kulagin, Ekaterina Rudina, Future Technologies, Kaspersky Lab

SLIDE 2

The objectives

  • Discover the situations requiring the cooperation of separated MILS Domains
  • Describe the approach(es) to the validation of SoD requirement fulfillment
  • Describe how the Separation of Duties may help in keeping the main properties provided by MILS Platform

SLIDE 3

Kaspersky Security System on the MILS Platform

SLIDE 4

[Diagram: SoD requirement → ? → Security policy]

How does the security policy address the concern of Separation of Duties on the MILS platform?

SLIDE 5

[Diagram: SoD requirement → ? → Security policy]

Challenges

  • Validation of SoD without any regard to the policy implemented by Security Server
  • Formal definition of SoD requirement to validate
  • Acceptable complexity of the validation algorithm
SLIDE 6

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration]

Challenges

  • Validation of configuration without any regard to the policy implemented by Security Server
  • Formal definition of SoD requirement to validate
  • Acceptable complexity of the validation algorithm
SLIDE 7

Security configuration

  • Associates security policies to the particular types of communication and security-related events
  • CFG file is compiled into the code of Security Runtime
SLIDE 8

simple.cfg:

    entity communicator {
        call in = allow;
        call out = allow;
        execute default = allow;
    }
    entity test {
        call in = allow;
        call out = allow;
        execute default = allow;
    }

advanced.cfg:

    entity communicator {
        call in = allow;
        call out = allow;
        call in org.date.SetDate = mls_write;
        call in org.date.GetDate = mls_read;
        execute default = mls_init("top-secret");
    }
    entity test {
        call in = allow;
        call out = allow;
        execute default = mls_init("unclassified");
        execute mls(level) = mls_init(level);
    }

mls.json:

    levels: ["unclassified", "confidential", "secret", "top-secret"]

SLIDE 9

The approach

The approach fits the following needs:

  • Verifies that the rights are transferred to subjects that do not have the conflicting rights
  • Facilitates the separation of duties and keeps the proper isolation of groups of subjects on the MILS platform

Case 1: MILS Domains may share the resources and cooperate, but we need the guarantees that a single Domain is incapable of overcoming the policy constraints and getting excessive privileges

SLIDE 10

The approach

The approach fits the following needs:

  • Verifies the monopoly access to the critical resource for any Domain at any moment of time
  • Facilitates the scenarios requiring sequential actions on the same resource that are separated due to trustworthiness concerns

Case 2: MILS Domains may implement different actions, but coordinating them into a sequence without a "trusted" coordinating domain is a challenge

SLIDE 11

Case 1

SLIDE 12

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration]

Challenges

  • Formal definition of SoD requirement to validate
  • Acceptable complexity of the validation algorithm
SLIDE 13

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; Role-based access control → OpSSoD requirement → RBAC OpSSoD requirement for the particular configuration (semi-formal definition)]

SLIDE 14

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; Role-based access control → OpSSoD requirement → Security configuration]

SLIDE 15

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; SPM metamodel → CFG model in SPM; Role-based access control → OpSSoD requirement → Security configuration]

SLIDE 16

KSS security configurations in terms of Schematic Protection Model

  What concepts we consider (KSS CFG)                        How the model reflects these concepts (SPM)
  Capability                                                 Ticket
  Capability type                                            Type of the ticket
  'Call' policies allowing the interaction of entities       Link predicate
  Constraints on the rights transferred within capability    Filter function
  'Execute' policies / predefined rules for entities         Can-create predicate
  Capability transfer/derive mechanisms                      Attenuation of privilege

SLIDE 17

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; SPM metamodel → CFG model in SPM; Role-based access control → OpSSoD requirement → OpSSoD requirement in SPM → Security configuration]

SLIDE 18

OpSSoD requirement in terms of Schematic Protection Model

[Diagram: Subject/Type1 and Subject/Type2 with access to a Resource]

SLIDE 19

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; SPM metamodel → CFG model in SPM; Role-based access control → OpSSoD requirement → OpSSoD requirement in SPM → Criteria for validating the OpSSoD for the Security configuration → Security configuration]

SLIDE 20

Criteria for validating the OpSSoD for the Security configuration

  • Create the scheme according to CFG
  • Check whether the scheme is acyclic (always attenuating)
  • Create the "fully unfolded" state
  • Check the criteria fulfillment
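The validation process of this slide as an added, constructed Python illustration (not the authors' tool and not a parser for the KSS CFG language): the scheme is given directly as subjects, tickets, link predicate, filter function and can-create predicate, with "set"/"get" on a date resource standing in for the SetDate/GetDate calls of advanced.cfg, and the check generalizes to any number of subject types and conflict pairs.

```python
# Constructed toy scheme: subjects have a type; tickets are (resource, right) pairs;
# LINKS is the link predicate on type pairs; a filter names the rights that may
# cross a link; CAN_CREATE lists child types; CONFLICTS states the OpSSoD requirement.
SUBJECTS = {"setter": "trusted", "getter": "trusted", "test": "untrusted"}
TICKETS = {"setter": {("date", "set")}, "getter": {("date", "get")}, "test": set()}
LINKS = {("trusted", "untrusted")}
CAN_CREATE = {"trusted": {"untrusted"}, "untrusted": set()}
WEAK_FILTER = {("trusted", "untrusted"): {"get", "set"}}   # both rights may cross
STRICT_FILTER = {("trusted", "untrusted"): {"get"}}        # only the read right crosses
CONFLICTS = [("set", "get")]  # no subject may hold both rights on one resource

def is_acyclic(can_create):
    """Attenuating scheme: no type can, directly or transitively, create its own type."""
    def visit(t, path):
        return t not in path and all(visit(c, path | {t}) for c in can_create.get(t, ()))
    return all(visit(t, frozenset()) for t in can_create)

def fully_unfolded_state(subjects, tickets, can_create, links, filt):
    """Create one child per creatable type, then pass tickets over every allowed link
    until nothing changes: a conservative 'fully unfolded' state of the scheme."""
    subs, tix = dict(subjects), {s: set(v) for s, v in tickets.items()}
    queue = list(subs)
    for s in queue:  # creation phase; appending while iterating is finite (acyclic)
        for ctype in can_create.get(subs[s], ()):
            child = s + "/" + ctype
            subs[child], tix[child] = ctype, set()
            queue.append(child)
    changed = True
    while changed:  # transfer phase: the link predicate gates, the filter attenuates
        changed = False
        for a in subs:
            for b in subs:
                key = (subs[a], subs[b])
                if a == b or key not in links:
                    continue
                new = {t for t in tix[a] if t[1] in filt.get(key, ())} - tix[b]
                tix[b] |= new
                changed = changed or bool(new)
    return tix

def sod_violations(tickets, conflicts):
    """Subjects that end up with both rights of a conflicting pair on one resource."""
    return sorted((s, res, r1, r2) for s, ts in tickets.items() for r1, r2 in conflicts
                  for res, r in ts if r == r1 and (res, r2) in ts)

def validate(subjects, tickets, can_create, links, filt, conflicts):
    if not is_acyclic(can_create):
        raise ValueError("can-create graph is cyclic: unfolding would not terminate")
    return sod_violations(fully_unfolded_state(subjects, tickets, can_create, links, filt), conflicts)
```

With WEAK_FILTER the untrusted subjects, including the children created during unfolding, end up holding both rights; with STRICT_FILTER the unfolded state is clean.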

SLIDE 21

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; SPM metamodel → CFG model in SPM; Role-based access control → OpSSoD requirement → OpSSoD requirement in SPM → Criteria for validating the OpSSoD for the Security configuration → Validation process → OpSSoD requirement for the particular configuration]

SLIDE 22

Case 2

SLIDE 23

Monopoly access to resource transferred between subjects

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration]

Challenges, in terms of SPM:

  • The subject can't transfer the right for the monopoly access to the resource
  • The right can't be removed (the scheme is monotonic)

SLIDE 24

Linear Rights: the new type of rights contained by capabilities

  • Only one subject may possess this right at every moment of time
  • When the capability with the linear right is revoked, this right will be given back to the parent

The idea of linear rights allows addressing the requirements to the monopoly access to resources

SLIDE 25

[Diagram: Capability-based security policy, CFG language, SoD requirement → ? → Security configuration; Simple rights, Linear Rights → Validation of the constraints related to the use of simple/linear rights → Validation process → Monopoly access to resource transferred between subjects]

SLIDE 26

Linear rights: main aspects

  • The single linear right may be added to the scheme without the violation of already verified SoD properties
  • Thus, we can combine the SoD aspect proven as in Case 1 with fine-grained monopoly access to the resources where needed
  • The linear right can't be combined with the appropriate simple right; this constraint must be checked before applying the configuration
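The linear rights of slides 24 to 26 and the Case 2 sequencing scenario, as an added, constructed Python model (not KSS code; the subject names, the buffer resource and the write right are assumptions): a transfer moves the right instead of copying it, revocation returns it to the grantor, and the configuration check rejects a simple right that would coexist with the linear one.

```python
# Constructed model of linear rights: a simple right may be copied to any number of
# subjects, while a linear right on a resource has exactly one holder at any moment
# and returns to the subject that granted it when the capability is revoked.
class Scheme:
    def __init__(self):
        self.simple = {}   # subject -> {(resource, right)}
        self.holder = {}   # (resource, right) -> current holder of the linear right
        self.chain = {}    # (resource, right) -> grantors of the linear right, latest last

    def grant_simple(self, subject, resource, right):
        self.simple.setdefault(subject, set()).add((resource, right))
        return self

    def declare_linear(self, owner, resource, right):
        self.holder[(resource, right)], self.chain[(resource, right)] = owner, []
        return self

    def transfer(self, src, dst, resource, right):
        """Move the linear right: src must hold it now and loses it afterwards."""
        key = (resource, right)
        if self.holder.get(key) != src:
            return False          # refused, so the monopoly stays intact
        self.chain[key].append(src)
        self.holder[key] = dst
        return True

    def revoke(self, resource, right):
        """Revocation hands the right back to the grantor (the parent)."""
        chain = self.chain.get((resource, right))
        if not chain:
            return False          # the original owner holds it; nothing to return
        self.holder[(resource, right)] = chain.pop()
        return True

    def config_conflicts(self):
        """Slide 26 constraint: a linear right and the same simple right must not coexist."""
        return sorted((s, res, r) for s, ts in self.simple.items()
                      for res, r in ts if (res, r) in self.holder)

def sequential_scenario():
    """Case 2: stages act on one resource in turn with no trusted coordinator.
    Returns (step accepted?, holder after the step) for each step."""
    s = Scheme()
    s.declare_linear("owner", "buffer", "write")
    steps = [lambda: s.transfer("owner", "stage1", "buffer", "write"),
             lambda: s.transfer("stage1", "stage2", "buffer", "write"),
             lambda: s.transfer("stage1", "rogue", "buffer", "write"),  # stale holder
             lambda: s.revoke("buffer", "write"),
             lambda: s.revoke("buffer", "write")]
    return [(step(), s.holder[("buffer", "write")]) for step in steps]
```

The third step is refused because stage1 no longer holds the right, and the two revocations walk the grant chain back to stage1 and then to the owner.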

SLIDE 27

Future work

  • The open question: verification for the composition of the capability-based control with other policies
  • More types of Separation of Duties
  • More applications/case scenarios to verify

SLIDE 28

LET’S TALK?

Kaspersky Lab HQ 39A/3 Leningradskoe Shosse Moscow, 125212, Russian Federation Tel: +7 (495) 797-8700 www.kaspersky.com